Wildcards in reverse DNS

Mark Andrews Mark_Andrews at isc.org
Fri Jan 5 13:24:42 UTC 2007

> Mark Andrews wrote:
> > For those of you who think NAT's are great try connecting
> > to a port forwarded service from behind a NAT.  I've yet
> > to see a NAT box do this right.  The NAT box should be
> > able to loop the traffic around.  Instead we are forced
> > to kludge solutions to this in the DNS.
> No, a *properly* behaving NAT should always allow looping back. If you 
> are running a NAT that doesn't allow this, then it is broken. You cannot 
> put down NAT just because of broken implementations.
> > Look back through the archive of this list and you will
> > see some of the problems NAT's cause.
> Again, bad NAT or improperly configured NAT software/hardware is the 
> problem, not NATs in and of themselves; it's a fundamental difference.

	NAT is broken by design.  It depends upon there being a unique
	identifier in the upper layer protocols to demux the incoming
	data stream.  No such identifier exists for *all* protocols that
	run on top of IPv4.

	You can usually get away with it for TCP, UDP and ICMP if you
	initiate the connection from inside.  If you want to have multiple
	servers on the inside you lose out.
> > IPv6 is a significant step forward. It has enough address
> > space the every home can have it's own network with global
> > address for each device in the home if they want.
> Yes, but in order to use it you have to turn your network world as you 
> see it upside down, and for many it doesn't seem worth all that. I think 
> many are just waiting for a much better solution.

	Have you run an IPv6 network?

	As long as you can get external IPv6 connectivity (achievable
	via tunnels if your ISP doesn't yet support IPv6), you just
	enable IPv6 on the machines, add their addresses to the DNS
	if they haven't done that themselves and most things just

	I don't call that "turning the network upside down".

	If you look at the headers of this email you will see
	that the outbound mail from my machine at home leaves here
	via IPv6.

	It just works.
> > There are lots of things you can do when you have a
> > globally routable IP address that you can't do from
> > behind a NAT.
> Name one. With properly configured NAT, I've not had one single problem 
> routing things between various servers, no matter what they run. A 
> proper NAT will allow you to set up routes to services and also allow 
> the preservation of ports (otherwise certain services do indeed break if 
> they aren't routed back to an expected port and instead to a 
> random unprivileged port, etc. etc.)

	Try running multiple ntp daemons from inside syncing to the
	same external time sources.  It doesn't work properly.  There
	is not enough information to demux the replies correctly.

	Try running an active FTP client.

	Try running a passive FTP server.

	Try running multiple servers.

	Try running multiple VOIP phones with default configurations.

	You have to do a whole lot of workarounds or limit the
	available modes.

> It all depends on the implementation, and if it's behaving correctly.
> NAT32e is a good example of how a properly configured NAT should behave.
> > Bring on IPv6.
> Bring on something better, and more compatible with IPv4, please. 

	IPv6 is very compatible with IPv4.  Just about everything
	that works with IPv4 will work with IPv6 provided the
	implementations have the socket establishment re-written
	to be protocol independent.  There are a few exceptions and
	they usually embed IPv4 addresses in the upper layers.

	Anything that just does this, or the equivalent, on the client
	side will work:

		connect() / sendto()

	Anything that does just this on the server side will just work:

		listen() + accept() / recvfrom()

	That's the majority of network programs.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
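As an added illustration (not part of Mark Andrews's message and not ISC code), here is what "socket establishment re-written to be protocol independent" looks like in C. getaddrinfo() with AF_UNSPEC chooses the address family on both the listen()+accept() side and the connect() side, sockaddr_storage holds either kind of address, and getnameinfo() with NI_NUMERICSERV recovers the port without a family-specific cast, so the same code runs over IPv4 or IPv6 and contains no v4 literal. The loopback host strings, the kernel-chosen port and the echoed payload are constructed for this example.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Address family the resolver picks for a numeric host string, or -1.
 * AF_UNSPEC is the point: the caller never names AF_INET or AF_INET6. */
int addr_family(const char *host)
{
    struct addrinfo hints, *res;
    int family;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;      /* literals only, no DNS in this check */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

/* Shared open loop: resolve host:port with AF_UNSPEC, then for each result
 * either bind()+listen() (passive, server side) or connect() (client side)
 * until one succeeds.  Returns the fd or -1. */
static int open_any(const char *host, const char *port, int passive)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;          /* v4 or v6, decided by the resolver */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = passive ? AI_PASSIVE : 0;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (passive ? (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 1) == 0)
                    : connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* One echo round trip over loopback in a single thread: the TCP handshake
 * completes in the kernel before accept() is called, so no threads are
 * needed.  Returns 0 on success, or the number of the step that failed. */
int echo_roundtrip(const char *host)
{
    const char msg[] = "constructed test message";   /* sample payload, constructed here */
    struct sockaddr_storage ss;                       /* big enough for v4 or v6 */
    socklen_t sslen = sizeof ss;
    char port[16], buf[64];
    int lfd, cfd = -1, sfd, rc = 0;
    ssize_t n;

    if ((lfd = open_any(host, "0", 1)) < 0)           /* port "0": kernel picks */
        return 1;
    /* Recover the chosen port as a string; NI_NUMERICSERV is family-agnostic. */
    if (getsockname(lfd, (struct sockaddr *)&ss, &sslen) != 0 ||
        getnameinfo((struct sockaddr *)&ss, sslen, NULL, 0, port, sizeof port,
                    NI_NUMERICSERV) != 0 || (cfd = open_any(host, port, 0)) < 0) {
        close(lfd);
        return 2;
    }
    if ((sfd = accept(lfd, NULL, NULL)) < 0) {
        close(cfd); close(lfd);
        return 3;
    }
    if (send(cfd, msg, sizeof msg, 0) != (ssize_t)sizeof msg)
        rc = 4;
    else if ((n = recv(sfd, buf, sizeof buf, 0)) != (ssize_t)sizeof msg)
        rc = 5;
    else if (send(sfd, buf, (size_t)n, 0) != n)
        rc = 6;
    else if (recv(cfd, buf, sizeof buf, 0) != n || memcmp(buf, msg, (size_t)n) != 0)
        rc = 7;
    close(sfd); close(cfd); close(lfd);
    return rc;
}

int main(void)
{
    printf("127.0.0.1 round trip: %d\n", echo_roundtrip("127.0.0.1"));
    printf("::1 round trip:       %d\n", echo_roundtrip("::1"));
    return 0;
}
```

The ::1 round trip returns 2 rather than 0 on a host with IPv6 disabled on loopback, which is the only place the address family surfaces at all: the program itself never branches on it, which is what makes the same binary usable on either side of a NAT-free IPv6 network.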

More information about the bind-users mailing list